-
Notifications
You must be signed in to change notification settings - Fork 563
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[StepSecurity] ci: Harden GitHub Actions #2325
Merged
mcollina
merged 1 commit into
nodejs:main
from
step-security-bot:stepsecurity_remediation_1696908315
Oct 10, 2023
Merged
[StepSecurity] ci: Harden GitHub Actions #2325
mcollina
merged 1 commit into
nodejs:main
from
step-security-bot:stepsecurity_remediation_1696908315
Oct 10, 2023
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
RafaelGSS
approved these changes
Oct 10, 2023
Codecov ReportAttention:
Additional details and impacted files@@ Coverage Diff @@
## main #2325 +/- ##
==========================================
- Coverage 85.54% 85.43% -0.12%
==========================================
Files 76 76
Lines 6858 6867 +9
==========================================
Hits 5867 5867
- Misses 991 1000 +9
☔ View full report in Codecov by Sentry. |
mcollina
approved these changes
Oct 10, 2023
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lgtm
kodiakhq bot
referenced
this pull request
in X-oss-byte/Canary-nextjs
Oct 11, 2023
[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [undici](https://undici.nodejs.org) ([source](https://github.com/nodejs/undici)) | [`5.25.4` -> `5.26.0`](https://renovatebot.com/diffs/npm/undici/5.25.4/5.26.0) | [![age](https://developer.mend.io/api/mc/badges/age/npm/undici/5.26.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/undici/5.26.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/undici/5.25.4/5.26.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/undici/5.25.4/5.26.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | --- ### ⚠ Dependency Lookup Warnings ⚠ Warnings were logged while processing this repo. Please check the Dependency Dashboard for more information. --- ### Release Notes <details> <summary>nodejs/undici (undici)</summary> ### [`v5.26.0`](https://github.com/nodejs/undici/releases/tag/v5.26.0) [Compare Source](https://github.com/nodejs/undici/compare/5e654f351a9a813fed3e9feff4388b5c4fbda787...v5.26.0) #### What's Changed - use npm install instead of npm ci by [@​Ethan-Arrowood](https://github.com/Ethan-Arrowood) in [https://github.com/nodejs/undici/pull/2309](https://github.com/nodejs/undici/pull/2309) - change default header to `node` by [@​Ethan-Arrowood](https://github.com/Ethan-Arrowood) in [https://github.com/nodejs/undici/pull/2310](https://github.com/nodejs/undici/pull/2310) - chore: change order of the pseudo-headers by [@​kyrylodolynskyi](https://github.com/kyrylodolynskyi) in [https://github.com/nodejs/undici/pull/2308](https://github.com/nodejs/undici/pull/2308) - fix: Agent.Options.factory should accept URL object or string as parameter by [@​nicole0707](https://github.com/nicole0707) in [https://github.com/nodejs/undici/pull/2295](https://github.com/nodejs/undici/pull/2295) - build(deps-dev): bump sinon from 15.2.0 to 16.1.0 by [@​dependabot](https://github.com/dependabot) in [https://github.com/nodejs/undici/pull/2312](https://github.com/nodejs/undici/pull/2312) - test: handle npm ignore-scripts settings by [@​panva](https://github.com/panva) in [https://github.com/nodejs/undici/pull/2313](https://github.com/nodejs/undici/pull/2313) - feat: respect `--max-http-header-size` Node.js flag by [@​balazsorban44](https://github.com/balazsorban44) in [https://github.com/nodejs/undici/pull/2234](https://github.com/nodejs/undici/pull/2234) - fix([#​2311](https://github.com/nodejs/undici/issues/2311)): End stream after body sent by [@​metcoder95](https://github.com/metcoder95) in [https://github.com/nodejs/undici/pull/2314](https://github.com/nodejs/undici/pull/2314) - disallow setting host header in fetch by [@​KhafraDev](https://github.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2322](https://github.com/nodejs/undici/pull/2322) - \[StepSecurity] ci: Harden GitHub Actions by [@​step-security-bot](https://github.com/step-security-bot) in [https://github.com/nodejs/undici/pull/2325](https://github.com/nodejs/undici/pull/2325) - fix fetch with coverage enabled by [@​KhafraDev](https://github.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2330](https://github.com/nodejs/undici/pull/2330) - Fix stuck when using http2 POST Buffer by [@​binsee](https://github.com/binsee) in [https://github.com/nodejs/undici/pull/2336](https://github.com/nodejs/undici/pull/2336) - fix: 🏷️ add allowH2 to BuildOptions by [@​binsee](https://github.com/binsee) in [https://github.com/nodejs/undici/pull/2334](https://github.com/nodejs/undici/pull/2334) - fix: 🐛 fix process http2 header by [@​binsee](https://github.com/binsee) in [https://github.com/nodejs/undici/pull/2332](https://github.com/nodejs/undici/pull/2332) #### New Contributors - [@​kyrylodolynskyi](https://github.com/kyrylodolynskyi) made their first contribution in [https://github.com/nodejs/undici/pull/2308](https://github.com/nodejs/undici/pull/2308) - [@​nicole0707](https://github.com/nicole0707) made their first contribution in [https://github.com/nodejs/undici/pull/2295](https://github.com/nodejs/undici/pull/2295) - [@​balazsorban44](https://github.com/balazsorban44) made their first contribution in [https://github.com/nodejs/undici/pull/2234](https://github.com/nodejs/undici/pull/2234) - [@​binsee](https://github.com/binsee) made their first contribution in [https://github.com/nodejs/undici/pull/2336](https://github.com/nodejs/undici/pull/2336) **Full Changelog**: nodejs/undici@v5.23.4...v5.26.0 </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/X-oss-byte/Canary-nextjs).
kodiakhq bot
referenced
this pull request
in X-oss-byte/Nextjs
Oct 11, 2023
[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [undici](https://undici.nodejs.org) ([source](https://github.com/nodejs/undici)) | [`5.25.4` -> `5.26.0`](https://renovatebot.com/diffs/npm/undici/5.25.4/5.26.0) | [![age](https://developer.mend.io/api/mc/badges/age/npm/undici/5.26.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/undici/5.26.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/undici/5.25.4/5.26.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/undici/5.25.4/5.26.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | --- ### Release Notes <details> <summary>nodejs/undici (undici)</summary> ### [`v5.26.0`](https://github.com/nodejs/undici/releases/tag/v5.26.0) [Compare Source](https://github.com/nodejs/undici/compare/5e654f351a9a813fed3e9feff4388b5c4fbda787...v5.26.0) #### What's Changed - use npm install instead of npm ci by [@​Ethan-Arrowood](https://github.com/Ethan-Arrowood) in [https://github.com/nodejs/undici/pull/2309](https://github.com/nodejs/undici/pull/2309) - change default header to `node` by [@​Ethan-Arrowood](https://github.com/Ethan-Arrowood) in [https://github.com/nodejs/undici/pull/2310](https://github.com/nodejs/undici/pull/2310) - chore: change order of the pseudo-headers by [@​kyrylodolynskyi](https://github.com/kyrylodolynskyi) in [https://github.com/nodejs/undici/pull/2308](https://github.com/nodejs/undici/pull/2308) - fix: Agent.Options.factory should accept URL object or string as parameter by [@​nicole0707](https://github.com/nicole0707) in [https://github.com/nodejs/undici/pull/2295](https://github.com/nodejs/undici/pull/2295) - build(deps-dev): bump sinon from 15.2.0 to 16.1.0 by [@​dependabot](https://github.com/dependabot) in [https://github.com/nodejs/undici/pull/2312](https://github.com/nodejs/undici/pull/2312) - test: handle npm ignore-scripts settings by [@​panva](https://github.com/panva) in [https://github.com/nodejs/undici/pull/2313](https://github.com/nodejs/undici/pull/2313) - feat: respect `--max-http-header-size` Node.js flag by [@​balazsorban44](https://github.com/balazsorban44) in [https://github.com/nodejs/undici/pull/2234](https://github.com/nodejs/undici/pull/2234) - fix([#​2311](https://github.com/nodejs/undici/issues/2311)): End stream after body sent by [@​metcoder95](https://github.com/metcoder95) in [https://github.com/nodejs/undici/pull/2314](https://github.com/nodejs/undici/pull/2314) - disallow setting host header in fetch by [@​KhafraDev](https://github.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2322](https://github.com/nodejs/undici/pull/2322) - \[StepSecurity] ci: Harden GitHub Actions by [@​step-security-bot](https://github.com/step-security-bot) in [https://github.com/nodejs/undici/pull/2325](https://github.com/nodejs/undici/pull/2325) - fix fetch with coverage enabled by [@​KhafraDev](https://github.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2330](https://github.com/nodejs/undici/pull/2330) - Fix stuck when using http2 POST Buffer by [@​binsee](https://github.com/binsee) in [https://github.com/nodejs/undici/pull/2336](https://github.com/nodejs/undici/pull/2336) - fix: 🏷️ add allowH2 to BuildOptions by [@​binsee](https://github.com/binsee) in [https://github.com/nodejs/undici/pull/2334](https://github.com/nodejs/undici/pull/2334) - fix: 🐛 fix process http2 header by [@​binsee](https://github.com/binsee) in [https://github.com/nodejs/undici/pull/2332](https://github.com/nodejs/undici/pull/2332) #### New Contributors - [@​kyrylodolynskyi](https://github.com/kyrylodolynskyi) made their first contribution in [https://github.com/nodejs/undici/pull/2308](https://github.com/nodejs/undici/pull/2308) - [@​nicole0707](https://github.com/nicole0707) made their first contribution in [https://github.com/nodejs/undici/pull/2295](https://github.com/nodejs/undici/pull/2295) - [@​balazsorban44](https://github.com/balazsorban44) made their first contribution in [https://github.com/nodejs/undici/pull/2234](https://github.com/nodejs/undici/pull/2234) - [@​binsee](https://github.com/binsee) made their first contribution in [https://github.com/nodejs/undici/pull/2336](https://github.com/nodejs/undici/pull/2336) **Full Changelog**: nodejs/undici@v5.23.4...v5.26.0 </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/X-oss-byte/Nextjs).
kfcampbell
referenced
this pull request
in octokit/rest.js
Oct 16, 2023
[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [undici](https://undici.nodejs.org) ([source](https://github.com/nodejs/undici)) | [`5.22.1` -> `5.26.2`](https://renovatebot.com/diffs/npm/undici/5.22.1/5.26.2) | [![age](https://developer.mend.io/api/mc/badges/age/npm/undici/5.26.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/undici/5.26.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/undici/5.22.1/5.26.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/undici/5.22.1/5.26.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) | ### GitHub Vulnerability Alerts #### [CVE-2023-45143](https://github.com/nodejs/undici/security/advisories/GHSA-q768-x9m6-m9qp) ### Impact Undici clears Authorization headers on cross-origin redirects, but does not clear `Cookie` headers. By design, `cookie` headers are [forbidden request headers](https://fetch.spec.whatwg.org/#forbidden-request-header), disallowing them to be set in `RequestInit.headers` in browser environments. Since Undici handles headers more liberally than the specification, there was a disconnect from the assumptions the spec made, and Undici's implementation of fetch. As such this may lead to accidental leakage of cookie to a 3rd-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the 3rd party site. ### Patches This was patched in [e041de359221ebeae04c469e8aff4145764e6d76](https://github.com/nodejs/undici/commit/e041de359221ebeae04c469e8aff4145764e6d76), which is included in version 5.26.2. --- ### Release Notes <details> <summary>nodejs/undici (undici)</summary> ### [`v5.26.2`](https://github.com/nodejs/undici/releases/tag/v5.26.2) [Compare Source](https://github.com/nodejs/undici/compare/v5.26.1...v5.26.2) Security Release, CVE-2023-45143. ### [`v5.26.1`](https://github.com/nodejs/undici/releases/tag/v5.26.1) [Compare Source](https://github.com/nodejs/undici/compare/v5.26.0...v5.26.1) #### What's Changed - Fix publish undici-types once and for all! by [@​Ethan-Arrowood](https://github.com/Ethan-Arrowood) in [https://github.com/nodejs/undici/pull/2338](https://github.com/nodejs/undici/pull/2338) - Fix node detection omfg by [@​KhafraDev](https://github.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2341](https://github.com/nodejs/undici/pull/2341) **Full Changelog**: nodejs/undici@v5.26.0...v5.26.1 ### [`v5.26.0`](https://github.com/nodejs/undici/releases/tag/v5.26.0) [Compare Source](https://github.com/nodejs/undici/compare/5e654f351a9a813fed3e9feff4388b5c4fbda787...v5.26.0) #### What's Changed - use npm install instead of npm ci by [@​Ethan-Arrowood](https://github.com/Ethan-Arrowood) in [https://github.com/nodejs/undici/pull/2309](https://github.com/nodejs/undici/pull/2309) - change default header to `node` by [@​Ethan-Arrowood](https://github.com/Ethan-Arrowood) in [https://github.com/nodejs/undici/pull/2310](https://github.com/nodejs/undici/pull/2310) - chore: change order of the pseudo-headers by [@​kyrylodolynskyi](https://github.com/kyrylodolynskyi) in [https://github.com/nodejs/undici/pull/2308](https://github.com/nodejs/undici/pull/2308) - fix: Agent.Options.factory should accept URL object or string as parameter by [@​nicole0707](https://github.com/nicole0707) in [https://github.com/nodejs/undici/pull/2295](https://github.com/nodejs/undici/pull/2295) - build(deps-dev): bump sinon from 15.2.0 to 16.1.0 by [@​dependabot](https://github.com/dependabot) in [https://github.com/nodejs/undici/pull/2312](https://github.com/nodejs/undici/pull/2312) - test: handle npm ignore-scripts settings by [@​panva](https://github.com/panva) in [https://github.com/nodejs/undici/pull/2313](https://github.com/nodejs/undici/pull/2313) - feat: respect `--max-http-header-size` Node.js flag by [@​balazsorban44](https://github.com/balazsorban44) in [https://github.com/nodejs/undici/pull/2234](https://github.com/nodejs/undici/pull/2234) - fix([#​2311](https://github.com/nodejs/undici/issues/2311)): End stream after body sent by [@​metcoder95](https://github.com/metcoder95) in [https://github.com/nodejs/undici/pull/2314](https://github.com/nodejs/undici/pull/2314) - disallow setting host header in fetch by [@​KhafraDev](https://github.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2322](https://github.com/nodejs/undici/pull/2322) - \[StepSecurity] ci: Harden GitHub Actions by [@​step-security-bot](https://github.com/step-security-bot) in [https://github.com/nodejs/undici/pull/2325](https://github.com/nodejs/undici/pull/2325) - fix fetch with coverage enabled by [@​KhafraDev](https://github.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2330](https://github.com/nodejs/undici/pull/2330) - Fix stuck when using http2 POST Buffer by [@​binsee](https://github.com/binsee) in [https://github.com/nodejs/undici/pull/2336](https://github.com/nodejs/undici/pull/2336) - fix: 🏷️ add allowH2 to BuildOptions by [@​binsee](https://github.com/binsee) in [https://github.com/nodejs/undici/pull/2334](https://github.com/nodejs/undici/pull/2334) - fix: 🐛 fix process http2 header by [@​binsee](https://github.com/binsee) in [https://github.com/nodejs/undici/pull/2332](https://github.com/nodejs/undici/pull/2332) #### New Contributors - [@​kyrylodolynskyi](https://github.com/kyrylodolynskyi) made their first contribution in [https://github.com/nodejs/undici/pull/2308](https://github.com/nodejs/undici/pull/2308) - [@​nicole0707](https://github.com/nicole0707) made their first contribution in [https://github.com/nodejs/undici/pull/2295](https://github.com/nodejs/undici/pull/2295) - [@​balazsorban44](https://github.com/balazsorban44) made their first contribution in [https://github.com/nodejs/undici/pull/2234](https://github.com/nodejs/undici/pull/2234) - [@​binsee](https://github.com/binsee) made their first contribution in [https://github.com/nodejs/undici/pull/2336](https://github.com/nodejs/undici/pull/2336) **Full Changelog**: nodejs/undici@v5.23.4...v5.26.0 ### [`v5.25.4`](https://github.com/nodejs/undici/compare/v5.25.3...5e654f351a9a813fed3e9feff4388b5c4fbda787) [Compare Source](https://github.com/nodejs/undici/compare/v5.25.3...5e654f351a9a813fed3e9feff4388b5c4fbda787) ### [`v5.25.3`](https://github.com/nodejs/undici/releases/tag/v5.25.3) [Compare Source](https://github.com/nodejs/undici/compare/v5.25.2...v5.25.3) #### What's Changed - perf: improve parse-url implementation by [@​anonrig](https://github.com/anonrig) in [https://github.com/nodejs/undici/pull/2286](https://github.com/nodejs/undici/pull/2286) - test: enable websockets inclusion in WPTReport by [@​panva](https://github.com/panva) in [https://github.com/nodejs/undici/pull/2284](https://github.com/nodejs/undici/pull/2284) - remove npm run test from pre-commit hook by [@​dancastillo](https://github.com/dancastillo) in [https://github.com/nodejs/undici/pull/2296](https://github.com/nodejs/undici/pull/2296) - perf: use [@​fastify/busboy](https://github.com/fastify/busboy) by [@​gurgunday](https://github.com/gurgunday) in [https://github.com/nodejs/undici/pull/2211](https://github.com/nodejs/undici/pull/2211) - Disable finalizationregistry if node code cov by [@​mcollina](https://github.com/mcollina) in [https://github.com/nodejs/undici/pull/2298](https://github.com/nodejs/undici/pull/2298) #### New Contributors - [@​gurgunday](https://github.com/gurgunday) made their first contribution in [https://github.com/nodejs/undici/pull/2211](https://github.com/nodejs/undici/pull/2211) **Full Changelog**: nodejs/undici@v5.25.2...v5.25.3 ### [`v5.25.2`](https://github.com/nodejs/undici/releases/tag/v5.25.2) [Compare Source](https://github.com/nodejs/undici/compare/v5.25.1...v5.25.2) #### What's Changed - Add Khaf to releasers by [@​mcollina](https://github.com/mcollina) in [https://github.com/nodejs/undici/pull/2276](https://github.com/nodejs/undici/pull/2276) - fix: fix request with readable mode is object by [@​killagu](https://github.com/killagu) in [https://github.com/nodejs/undici/pull/2279](https://github.com/nodejs/undici/pull/2279) - fix loading websockets when node is built w/ --without-ssl by [@​KhafraDev](https://github.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2282](https://github.com/nodejs/undici/pull/2282) #### New Contributors - [@​killagu](https://github.com/killagu) made their first contribution in [https://github.com/nodejs/undici/pull/2279](https://github.com/nodejs/undici/pull/2279) **Full Changelog**: nodejs/undici@v5.25.1...v5.25.2 ### [`v5.25.1`](https://github.com/nodejs/undici/releases/tag/v5.25.1) [Compare Source](https://github.com/nodejs/undici/compare/v5.25.0...v5.25.1) #### What's Changed - Add publish types script by [@​Ethan-Arrowood](https://github.com/Ethan-Arrowood) in [https://github.com/nodejs/undici/pull/2273](https://github.com/nodejs/undici/pull/2273) **Full Changelog**: nodejs/undici@v5.25.0...v5.25.1 ### [`v5.25.0`](https://github.com/nodejs/undici/releases/tag/v5.25.0) [Compare Source](https://github.com/nodejs/undici/compare/v5.24.0...v5.25.0) #### What's Changed - fix: h2 without body by [@​metcoder95](https://github.com/metcoder95) in [https://github.com/nodejs/undici/pull/2258](https://github.com/nodejs/undici/pull/2258) - ci: remove duplicated runs by [@​metcoder95](https://github.com/metcoder95) in [https://github.com/nodejs/undici/pull/2265](https://github.com/nodejs/undici/pull/2265) - improve documentation of timeouts by making the units clear in all places by [@​mcfedr](https://github.com/mcfedr) in [https://github.com/nodejs/undici/pull/2266](https://github.com/nodejs/undici/pull/2266) - expose websocket in node bundle by [@​KhafraDev](https://github.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2217](https://github.com/nodejs/undici/pull/2217) - test: fix Fetch/HTTP2 tests by [@​metcoder95](https://github.com/metcoder95) in [https://github.com/nodejs/undici/pull/2263](https://github.com/nodejs/undici/pull/2263) - fix undici when node is built with --without-ssl by [@​KhafraDev](https://github.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2272](https://github.com/nodejs/undici/pull/2272) - fix: Fix type definition for Client Interceptors by [@​ComradeCow](https://github.com/ComradeCow) in [https://github.com/nodejs/undici/pull/2269](https://github.com/nodejs/undici/pull/2269) - Fix http2 agent by [@​mcollina](https://github.com/mcollina) in [https://github.com/nodejs/undici/pull/2275](https://github.com/nodejs/undici/pull/2275) #### New Contributors - [@​ComradeCow](https://github.com/ComradeCow) made their first contribution in [https://github.com/nodejs/undici/pull/2269](https://github.com/nodejs/undici/pull/2269) **Full Changelog**: nodejs/undici@v5.24.0...v5.25.0 ### [`v5.24.0`](https://github.com/nodejs/undici/releases/tag/v5.24.0) [Compare Source](https://github.com/nodejs/undici/compare/v5.23.0...v5.24.0) #### Notable Changes - feat: Add H2 support by [@​metcoder95](https://github.com/metcoder95) in [https://github.com/nodejs/undici/pull/2061](https://github.com/nodejs/undici/pull/2061) #### What's Changed - build(deps): bump step-security/harden-runner from 2.4.1 to 2.5.0 by [@​dependabot](https://github.com/dependabot) in [https://github.com/nodejs/undici/pull/2203](https://github.com/nodejs/undici/pull/2203) - better stack trace for body.json by [@​KhafraDev](https://github.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2215](https://github.com/nodejs/undici/pull/2215) - allow http & https websocket urls by [@​KhafraDev](https://github.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2218](https://github.com/nodejs/undici/pull/2218) - build(deps-dev): bump [@​sinonjs/fake-timers](https://github.com/sinonjs/fake-timers) from 10.3.0 to 11.1.0 by [@​dependabot](https://github.com/dependabot) in [https://github.com/nodejs/undici/pull/2221](https://github.com/nodejs/undici/pull/2221) - fix: pass ProxyAgent proxy status code error by [@​NBNGaming](https://github.com/NBNGaming) in [https://github.com/nodejs/undici/pull/2162](https://github.com/nodejs/undici/pull/2162) - fix failing test by [@​KhafraDev](https://github.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2223](https://github.com/nodejs/undici/pull/2223) - docs: update MockPool.md intercept method description by [@​capaj](https://github.com/capaj) in [https://github.com/nodejs/undici/pull/2220](https://github.com/nodejs/undici/pull/2220) - Update wpts by [@​KhafraDev](https://github.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2226](https://github.com/nodejs/undici/pull/2226) - build(deps): bump github/codeql-action from 2.21.2 to 2.21.5 by [@​dependabot](https://github.com/dependabot) in [https://github.com/nodejs/undici/pull/2240](https://github.com/nodejs/undici/pull/2240) - build(deps): bump actions/setup-node from 3.6.0 to 3.8.1 by [@​dependabot](https://github.com/dependabot) in [https://github.com/nodejs/undici/pull/2237](https://github.com/nodejs/undici/pull/2237) - build(deps): bump fastify/github-action-merge-dependabot from 3.9.0 to 3.9.1 by [@​dependabot](https://github.com/dependabot) in [https://github.com/nodejs/undici/pull/2236](https://github.com/nodejs/undici/pull/2236) - build(deps): bump actions/checkout from 3.5.3 to 3.6.0 by [@​dependabot](https://github.com/dependabot) in [https://github.com/nodejs/undici/pull/2241](https://github.com/nodejs/undici/pull/2241) - build(deps): bump actions/dependency-review-action from 3.0.6 to 3.0.8 by [@​dependabot](https://github.com/dependabot) in [https://github.com/nodejs/undici/pull/2238](https://github.com/nodejs/undici/pull/2238) - fix: aborting request with non-object error by [@​KhafraDev](https://github.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2243](https://github.com/nodejs/undici/pull/2243) - fix: preserve file path when parsing formdata by [@​jimmywarting](https://github.com/jimmywarting) in [https://github.com/nodejs/undici/pull/2245](https://github.com/nodejs/undici/pull/2245) - build(deps-dev): bump tsd from 0.28.1 to 0.29.0 by [@​dependabot](https://github.com/dependabot) in [https://github.com/nodejs/undici/pull/2246](https://github.com/nodejs/undici/pull/2246) - Updated benchmarks by [@​mcollina](https://github.com/mcollina) in [https://github.com/nodejs/undici/pull/2250](https://github.com/nodejs/undici/pull/2250) - Fix fetch in node v20.6.0 by [@​mcollina](https://github.com/mcollina) in [https://github.com/nodejs/undici/pull/2251](https://github.com/nodejs/undici/pull/2251) - Maybe fix v20 by [@​mcollina](https://github.com/mcollina) in [https://github.com/nodejs/undici/pull/2252](https://github.com/nodejs/undici/pull/2252) - feat: Add H2 support by [@​metcoder95](https://github.com/metcoder95) in [https://github.com/nodejs/undici/pull/2061](https://github.com/nodejs/undici/pull/2061) - docs: fix tables in README by [@​regseb](https://github.com/regseb) in [https://github.com/nodejs/undici/pull/2254](https://github.com/nodejs/undici/pull/2254) - Fix http2 fetch test by [@​mcollina](https://github.com/mcollina) in [https://github.com/nodejs/undici/pull/2253](https://github.com/nodejs/undici/pull/2253) #### New Contributors - [@​NBNGaming](https://github.com/NBNGaming) made their first contribution in [https://github.com/nodejs/undici/pull/2162](https://github.com/nodejs/undici/pull/2162) - [@​capaj](https://github.com/capaj) made their first contribution in [https://github.com/nodejs/undici/pull/2220](https://github.com/nodejs/undici/pull/2220) - [@​regseb](https://github.com/regseb) made their first contribution in [https://github.com/nodejs/undici/pull/2254](https://github.com/nodejs/undici/pull/2254) **Full Changelog**: nodejs/undici@v5.23.0...v5.24.0 ### [`v5.23.0`](https://github.com/nodejs/undici/releases/tag/v5.23.0) [Compare Source](https://github.com/nodejs/undici/compare/v5.22.1...v5.23.0) #### What's Changed - bump engines to node >= 16 by [@​ronag](https://github.com/ronag) in [https://github.com/nodejs/undici/pull/2119](https://github.com/nodejs/undici/pull/2119) - Revert "bump engines to node >= 16 ([#​2119](https://github.com/nodejs/undici/issues/2119))" by [@​ronag](https://github.com/ronag) in [https://github.com/nodejs/undici/pull/2121](https://github.com/nodejs/undici/pull/2121) - fetch: set referrer properly by [@​KhafraDev](https://github.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2125](https://github.com/nodejs/undici/pull/2125) - fix: support truncated gzip by [@​jimmywarting](https://github.com/jimmywarting) in [https://github.com/nodejs/undici/pull/2126](https://github.com/nodejs/undici/pull/2126) - workflow: apply security best practices by [@​step-security-bot](https://github.com/step-security-bot) in [https://github.com/nodejs/undici/pull/2130](https://github.com/nodejs/undici/pull/2130) - build(deps): bump actions/upload-artifact from 3.1.0 to 3.1.2 by [@​dependabot](https://github.com/dependabot) in [https://github.com/nodejs/undici/pull/2135](https://github.com/nodejs/undici/pull/2135) - build(deps): bump actions/dependency-review-action from 2.5.1 to 3.0.4 by [@​dependabot](https://github.com/dependabot) in [https://github.com/nodejs/undici/pull/2133](https://github.com/nodejs/undici/pull/2133) - build(deps): bump node from 18-alpine to 20-alpine in /build by [@​dependabot](https://github.com/dependabot) in [https://github.com/nodejs/undici/pull/2131](https://github.com/nodejs/undici/pull/2131) - build(deps): bump pkgjs/action from 0.1.6 to 0.1.7 by [@​dependabot](https://github.com/dependabot) in [https://github.com/nodejs/undici/pull/2136](https://github.com/nodejs/undici/pull/2136) - build(deps): bump actions/checkout from 3.1.0 to 3.5.2 by [@​dependabot](https://github.com/dependabot) in [https://github.com/nodejs/undici/pull/2132](https://github.com/nodejs/undici/pull/2132) - build(deps-dev): bump jsdom from 21.1.2 to 22.1.0 by [@​dependabot](https://github.com/dependabot) in [https://github.com/nodejs/undici/pull/2142](https://github.com/nodejs/undici/pull/2142) - build(deps): bump fastify/github-action-merge-dependabot from 3.7.0 to 3.8.0 by [@​dependabot](https://github.com/dependabot) in [https://github.com/nodejs/undici/pull/2148](https://github.com/nodejs/undici/pull/2148) - fix(pr): use correct pr template file by [@​AugustinMauroy](https://github.com/AugustinMauroy) in [https://github.com/nodejs/undici/pull/2141](https://github.com/nodejs/undici/pull/2141) - Additional WebSocket send tests to cover all payload size categories by [@​jawj](https://github.com/jawj) in [https://github.com/nodejs/undici/pull/2149](https://github.com/nodejs/undici/pull/2149) - fix: reverse decompression order of "Content-Encoding" encodings (fixes [#​2158](https://github.com/nodejs/undici/issues/2158)) by [@​rychkog](https://github.com/rychkog) in [https://github.com/nodejs/undici/pull/2159](https://github.com/nodejs/undici/pull/2159) - fix: keep running WPTs if a test times out by [@​KhafraDev](https://github.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2165](https://github.com/nodejs/undici/pull/2165) - feat: add build environment info by [@​mhdawson](https://github.com/mhdawson) in [https://github.com/nodejs/undici/pull/2168](https://github.com/nodejs/undici/pull/2168) - fix: forward error reason to fetch controller by [@​KhafraDev](https://github.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2172](https://github.com/nodejs/undici/pull/2172) - stricter types for bodymixin.json by [@​KhafraDev](https://github.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2181](https://github.com/nodejs/undici/pull/2181) - chore: Renable autoSelectFamily tests. by [@​ShogunPanda](https://github.com/ShogunPanda) in [https://github.com/nodejs/undici/pull/2180](https://github.com/nodejs/undici/pull/2180) - build(deps): bump actions/dependency-review-action from 3.0.4 to 3.0.6 by [@​dependabot](https://github.com/dependabot) in [https://github.com/nodejs/undici/pull/2147](https://github.com/nodejs/undici/pull/2147) - build(deps): bump github/codeql-action from 2.3.2 to 2.20.3 by [@​dependabot](https://github.com/dependabot) in [https://github.com/nodejs/undici/pull/2185](https://github.com/nodejs/undici/pull/2185) - fix: fetch resource timing performance entry names should be strings by [@​GaryWilber](https://github.com/GaryWilber) in [https://github.com/nodejs/undici/pull/2188](https://github.com/nodejs/undici/pull/2188) - build(deps): bump actions/checkout from 3.5.2 to 3.5.3 by [@​dependabot](https://github.com/dependabot) in [https://github.com/nodejs/undici/pull/2176](https://github.com/nodejs/undici/pull/2176) - build(deps): bump fastify/github-action-merge-dependabot from 3.8.0 to 3.9.0 by [@​dependabot](https://github.com/dependabot) in [https://github.com/nodejs/undici/pull/2177](https://github.com/nodejs/undici/pull/2177) - build(deps): bump ossf/scorecard-action from 2.1.3 to 2.2.0 by [@​dependabot](https://github.com/dependabot) in [https://github.com/nodejs/undici/pull/2178](https://github.com/nodejs/undici/pull/2178) - build(deps): bump step-security/harden-runner from 2.4.0 to 2.4.1 by [@​dependabot](https://github.com/dependabot) in [https://github.com/nodejs/undici/pull/2175](https://github.com/nodejs/undici/pull/2175) - test: fix `autoselectfamily` on platforms without IPv6 support by [@​LiviaMedeiros](https://github.com/LiviaMedeiros) in [https://github.com/nodejs/undici/pull/2197](https://github.com/nodejs/undici/pull/2197) - fix: make multipart/form-data boundary string more consistent by [@​LiviaMedeiros](https://github.com/LiviaMedeiros) in [https://github.com/nodejs/undici/pull/2196](https://github.com/nodejs/undici/pull/2196) - docs: add proxy agent options docs by [@​dancastillo](https://github.com/dancastillo) in [https://github.com/nodejs/undici/pull/2193](https://github.com/nodejs/undici/pull/2193) - build(deps): bump github/codeql-action from 2.20.3 to 2.21.2 by [@​dependabot](https://github.com/dependabot) in [https://github.com/nodejs/undici/pull/2205](https://github.com/nodejs/undici/pull/2205) - feat: make use of `addAbortListener` where applicable by [@​atlowChemi](https://github.com/atlowChemi) in [https://github.com/nodejs/undici/pull/2195](https://github.com/nodejs/undici/pull/2195) #### New Contributors - [@​step-security-bot](https://github.com/step-security-bot) made their first contribution in [https://github.com/nodejs/undici/pull/2130](https://github.com/nodejs/undici/pull/2130) - [@​AugustinMauroy](https://github.com/AugustinMauroy) made their first contribution in [https://github.com/nodejs/undici/pull/2141](https://github.com/nodejs/undici/pull/2141) - [@​rychkog](https://github.com/rychkog) made their first contribution in [https://github.com/nodejs/undici/pull/2159](https://github.com/nodejs/undici/pull/2159) - [@​mhdawson](https://github.com/mhdawson) made their first contribution in [https://github.com/nodejs/undici/pull/2168](https://github.com/nodejs/undici/pull/2168) - [@​GaryWilber](https://github.com/GaryWilber) made their first contribution in [https://github.com/nodejs/undici/pull/2188](https://github.com/nodejs/undici/pull/2188) - [@​atlowChemi](https://github.com/atlowChemi) made their first contribution in [https://github.com/nodejs/undici/pull/2195](https://github.com/nodejs/undici/pull/2195) **Full Changelog**: nodejs/undici@v5.22.1...v5.23.0 </details> --- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/octokit/rest.js). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4xOS4yIiwidXBkYXRlZEluVmVyIjoiMzcuMTkuMiIsInRhcmdldEJyYW5jaCI6Im1haW4ifQ==--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
renovate bot
referenced
this pull request
in specfy/specfy
Oct 16, 2023
[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [undici](https://undici.nodejs.org) ([source](https://github.com/nodejs/undici)) | [`5.23.0` -> `5.26.2`](https://renovatebot.com/diffs/npm/undici/5.23.0/5.26.2) | [![age](https://developer.mend.io/api/mc/badges/age/npm/undici/5.26.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/undici/5.26.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/undici/5.23.0/5.26.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/undici/5.23.0/5.26.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) | ### GitHub Vulnerability Alerts #### [CVE-2023-45143](https://github.com/nodejs/undici/security/advisories/GHSA-q768-x9m6-m9qp) ### Impact Undici clears Authorization headers on cross-origin redirects, but does not clear `Cookie` headers. By design, `cookie` headers are [forbidden request headers](https://fetch.spec.whatwg.org/#forbidden-request-header), disallowing them to be set in `RequestInit.headers` in browser environments. Since Undici handles headers more liberally than the specification, there was a disconnect from the assumptions the spec made, and Undici's implementation of fetch. As such this may lead to accidental leakage of cookie to a 3rd-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the 3rd party site. ### Patches This was patched in [e041de359221ebeae04c469e8aff4145764e6d76](https://github.com/nodejs/undici/commit/e041de359221ebeae04c469e8aff4145764e6d76), which is included in version 5.26.2. --- ### Release Notes <details> <summary>nodejs/undici (undici)</summary> ### [`v5.26.2`](https://github.com/nodejs/undici/releases/tag/v5.26.2) [Compare Source](https://github.com/nodejs/undici/compare/v5.26.1...v5.26.2) Security Release, CVE-2023-45143. ### [`v5.26.1`](https://github.com/nodejs/undici/releases/tag/v5.26.1) [Compare Source](https://github.com/nodejs/undici/compare/v5.26.0...v5.26.1) #### What's Changed - Fix publish undici-types once and for all! by [@​Ethan-Arrowood](https://github.com/Ethan-Arrowood) in [https://github.com/nodejs/undici/pull/2338](https://github.com/nodejs/undici/pull/2338) - Fix node detection omfg by [@​KhafraDev](https://github.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2341](https://github.com/nodejs/undici/pull/2341) **Full Changelog**: nodejs/undici@v5.26.0...v5.26.1 ### [`v5.26.0`](https://github.com/nodejs/undici/releases/tag/v5.26.0) [Compare Source](https://github.com/nodejs/undici/compare/5e654f351a9a813fed3e9feff4388b5c4fbda787...v5.26.0) #### What's Changed - use npm install instead of npm ci by [@​Ethan-Arrowood](https://github.com/Ethan-Arrowood) in [https://github.com/nodejs/undici/pull/2309](https://github.com/nodejs/undici/pull/2309) - change default header to `node` by [@​Ethan-Arrowood](https://github.com/Ethan-Arrowood) in [https://github.com/nodejs/undici/pull/2310](https://github.com/nodejs/undici/pull/2310) - chore: change order of the pseudo-headers by [@​kyrylodolynskyi](https://github.com/kyrylodolynskyi) in [https://github.com/nodejs/undici/pull/2308](https://github.com/nodejs/undici/pull/2308) - fix: Agent.Options.factory should accept URL object or string as parameter by [@​nicole0707](https://github.com/nicole0707) in [https://github.com/nodejs/undici/pull/2295](https://github.com/nodejs/undici/pull/2295) - build(deps-dev): bump sinon from 15.2.0 to 16.1.0 by [@​dependabot](https://github.com/dependabot) in [https://github.com/nodejs/undici/pull/2312](https://github.com/nodejs/undici/pull/2312) - test: handle npm ignore-scripts settings by [@​panva](https://github.com/panva) in [https://github.com/nodejs/undici/pull/2313](https://github.com/nodejs/undici/pull/2313) - feat: respect `--max-http-header-size` Node.js flag by [@​balazsorban44](https://github.com/balazsorban44) in [https://github.com/nodejs/undici/pull/2234](https://github.com/nodejs/undici/pull/2234) - fix([#​2311](https://github.com/nodejs/undici/issues/2311)): End stream after body sent by [@​metcoder95](https://github.com/metcoder95) in [https://github.com/nodejs/undici/pull/2314](https://github.com/nodejs/undici/pull/2314) - disallow setting host header in fetch by [@​KhafraDev](https://github.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2322](https://github.com/nodejs/undici/pull/2322) - \[StepSecurity] ci: Harden GitHub Actions by [@​step-security-bot](https://github.com/step-security-bot) in [https://github.com/nodejs/undici/pull/2325](https://github.com/nodejs/undici/pull/2325) - fix fetch with coverage enabled by [@​KhafraDev](https://github.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2330](https://github.com/nodejs/undici/pull/2330) - Fix stuck when using http2 POST Buffer by [@​binsee](https://github.com/binsee) in [https://github.com/nodejs/undici/pull/2336](https://github.com/nodejs/undici/pull/2336) - fix: 🏷️ add allowH2 to BuildOptions by [@​binsee](https://github.com/binsee) in [https://github.com/nodejs/undici/pull/2334](https://github.com/nodejs/undici/pull/2334) - fix: 🐛 fix process http2 header by [@​binsee](https://github.com/binsee) in [https://github.com/nodejs/undici/pull/2332](https://github.com/nodejs/undici/pull/2332) #### New Contributors - [@​kyrylodolynskyi](https://github.com/kyrylodolynskyi) made their first contribution in [https://github.com/nodejs/undici/pull/2308](https://github.com/nodejs/undici/pull/2308) - [@​nicole0707](https://github.com/nicole0707) made their first contribution in [https://github.com/nodejs/undici/pull/2295](https://github.com/nodejs/undici/pull/2295) - [@​balazsorban44](https://github.com/balazsorban44) made their first contribution in [https://github.com/nodejs/undici/pull/2234](https://github.com/nodejs/undici/pull/2234) - [@​binsee](https://github.com/binsee) made their first contribution in [https://github.com/nodejs/undici/pull/2336](https://github.com/nodejs/undici/pull/2336) **Full Changelog**: nodejs/undici@v5.23.4...v5.26.0 ### [`v5.25.4`](https://github.com/nodejs/undici/compare/v5.25.3...5e654f351a9a813fed3e9feff4388b5c4fbda787) [Compare Source](https://github.com/nodejs/undici/compare/v5.25.3...5e654f351a9a813fed3e9feff4388b5c4fbda787) ### [`v5.25.3`](https://github.com/nodejs/undici/releases/tag/v5.25.3) [Compare Source](https://github.com/nodejs/undici/compare/v5.25.2...v5.25.3) #### What's Changed - perf: improve parse-url implementation by [@​anonrig](https://github.com/anonrig) in [https://github.com/nodejs/undici/pull/2286](https://github.com/nodejs/undici/pull/2286) - test: enable websockets inclusion in WPTReport by [@​panva](https://github.com/panva) in [https://github.com/nodejs/undici/pull/2284](https://github.com/nodejs/undici/pull/2284) - remove npm run test from pre-commit hook by [@​dancastillo](https://github.com/dancastillo) in [https://github.com/nodejs/undici/pull/2296](https://github.com/nodejs/undici/pull/2296) - perf: use [@​fastify/busboy](https://github.com/fastify/busboy) by [@​gurgunday](https://github.com/gurgunday) in [https://github.com/nodejs/undici/pull/2211](https://github.com/nodejs/undici/pull/2211) - Disable finalizationregistry if node code cov by [@​mcollina](https://github.com/mcollina) in [https://github.com/nodejs/undici/pull/2298](https://github.com/nodejs/undici/pull/2298) #### New Contributors - [@​gurgunday](https://github.com/gurgunday) made their first contribution in [https://github.com/nodejs/undici/pull/2211](https://github.com/nodejs/undici/pull/2211) **Full Changelog**: nodejs/undici@v5.25.2...v5.25.3 ### [`v5.25.2`](https://github.com/nodejs/undici/releases/tag/v5.25.2) [Compare Source](https://github.com/nodejs/undici/compare/v5.25.1...v5.25.2) #### What's Changed - Add Khaf to releasers by [@​mcollina](https://github.com/mcollina) in [https://github.com/nodejs/undici/pull/2276](https://github.com/nodejs/undici/pull/2276) - fix: fix request with readable mode is object by [@​killagu](https://github.com/killagu) in [https://github.com/nodejs/undici/pull/2279](https://github.com/nodejs/undici/pull/2279) - fix loading websockets when node is built w/ --without-ssl by [@​KhafraDev](https://github.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2282](https://github.com/nodejs/undici/pull/2282) #### New Contributors - [@​killagu](https://github.com/killagu) made their first contribution in [https://github.com/nodejs/undici/pull/2279](https://github.com/nodejs/undici/pull/2279) **Full Changelog**: nodejs/undici@v5.25.1...v5.25.2 ### [`v5.25.1`](https://github.com/nodejs/undici/releases/tag/v5.25.1) [Compare Source](https://github.com/nodejs/undici/compare/v5.25.0...v5.25.1) #### What's Changed - Add publish types script by [@​Ethan-Arrowood](https://github.com/Ethan-Arrowood) in [https://github.com/nodejs/undici/pull/2273](https://github.com/nodejs/undici/pull/2273) **Full Changelog**: nodejs/undici@v5.25.0...v5.25.1 ### [`v5.25.0`](https://github.com/nodejs/undici/releases/tag/v5.25.0) [Compare Source](https://github.com/nodejs/undici/compare/v5.24.0...v5.25.0) #### What's Changed - fix: h2 without body by [@​metcoder95](https://github.com/metcoder95) in [https://github.com/nodejs/undici/pull/2258](https://github.com/nodejs/undici/pull/2258) - ci: remove duplicated runs by [@​metcoder95](https://github.com/metcoder95) in [https://github.com/nodejs/undici/pull/2265](https://github.com/nodejs/undici/pull/2265) - improve documentation of timeouts by making the units clear in all places by [@​mcfedr](https://github.com/mcfedr) in [https://github.com/nodejs/undici/pull/2266](https://github.com/nodejs/undici/pull/2266) - expose websocket in node bundle by [@​KhafraDev](https://github.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2217](https://github.com/nodejs/undici/pull/2217) - test: fix Fetch/HTTP2 tests by [@​metcoder95](https://github.com/metcoder95) in [https://github.com/nodejs/undici/pull/2263](https://github.com/nodejs/undici/pull/2263) - fix undici when node is built with --without-ssl by [@​KhafraDev](https://github.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2272](https://github.com/nodejs/undici/pull/2272) - fix: Fix type definition for Client Interceptors by [@​ComradeCow](https://github.com/ComradeCow) in [https://github.com/nodejs/undici/pull/2269](https://github.com/nodejs/undici/pull/2269) - Fix http2 agent by [@​mcollina](https://github.com/mcollina) in [https://github.com/nodejs/undici/pull/2275](https://github.com/nodejs/undici/pull/2275) #### New Contributors - [@​ComradeCow](https://github.com/ComradeCow) made their first contribution in [https://github.com/nodejs/undici/pull/2269](https://github.com/nodejs/undici/pull/2269) **Full Changelog**: nodejs/undici@v5.24.0...v5.25.0 ### [`v5.24.0`](https://github.com/nodejs/undici/releases/tag/v5.24.0) [Compare Source](https://github.com/nodejs/undici/compare/v5.23.0...v5.24.0) #### Notable Changes - feat: Add H2 support by [@​metcoder95](https://github.com/metcoder95) in [https://github.com/nodejs/undici/pull/2061](https://github.com/nodejs/undici/pull/2061) #### What's Changed - build(deps): bump step-security/harden-runner from 2.4.1 to 2.5.0 by [@​dependabot](https://github.com/dependabot) in [https://github.com/nodejs/undici/pull/2203](https://github.com/nodejs/undici/pull/2203) - better stack trace for body.json by [@​KhafraDev](https://github.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2215](https://github.com/nodejs/undici/pull/2215) - allow http & https websocket urls by [@​KhafraDev](https://github.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2218](https://github.com/nodejs/undici/pull/2218) - build(deps-dev): bump [@​sinonjs/fake-timers](https://github.com/sinonjs/fake-timers) from 10.3.0 to 11.1.0 by [@​dependabot](https://github.com/dependabot) in [https://github.com/nodejs/undici/pull/2221](https://github.com/nodejs/undici/pull/2221) - fix: pass ProxyAgent proxy status code error by [@​NBNGaming](https://github.com/NBNGaming) in [https://github.com/nodejs/undici/pull/2162](https://github.com/nodejs/undici/pull/2162) - fix failing test by [@​KhafraDev](https://github.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2223](https://github.com/nodejs/undici/pull/2223) - docs: update MockPool.md intercept method description by [@​capaj](https://github.com/capaj) in [https://github.com/nodejs/undici/pull/2220](https://github.com/nodejs/undici/pull/2220) - Update wpts by [@​KhafraDev](https://github.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2226](https://github.com/nodejs/undici/pull/2226) - build(deps): bump github/codeql-action from 2.21.2 to 2.21.5 by [@​dependabot](https://github.com/dependabot) in [https://github.com/nodejs/undici/pull/2240](https://github.com/nodejs/undici/pull/2240) - build(deps): bump actions/setup-node from 3.6.0 to 3.8.1 by [@​dependabot](https://github.com/dependabot) in [https://github.com/nodejs/undici/pull/2237](https://github.com/nodejs/undici/pull/2237) - build(deps): bump fastify/github-action-merge-dependabot from 3.9.0 to 3.9.1 by [@​dependabot](https://github.com/dependabot) in [https://github.com/nodejs/undici/pull/2236](https://github.com/nodejs/undici/pull/2236) - build(deps): bump actions/checkout from 3.5.3 to 3.6.0 by [@​dependabot](https://github.com/dependabot) in [https://github.com/nodejs/undici/pull/2241](https://github.com/nodejs/undici/pull/2241) - build(deps): bump actions/dependency-review-action from 3.0.6 to 3.0.8 by [@​dependabot](https://github.com/dependabot) in [https://github.com/nodejs/undici/pull/2238](https://github.com/nodejs/undici/pull/2238) - fix: aborting request with non-object error by [@​KhafraDev](https://github.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2243](https://github.com/nodejs/undici/pull/2243) - fix: preserve file path when parsing formdata by [@​jimmywarting](https://github.com/jimmywarting) in [https://github.com/nodejs/undici/pull/2245](https://github.com/nodejs/undici/pull/2245) - build(deps-dev): bump tsd from 0.28.1 to 0.29.0 by [@​dependabot](https://github.com/dependabot) in [https://github.com/nodejs/undici/pull/2246](https://github.com/nodejs/undici/pull/2246) - Updated benchmarks by [@​mcollina](https://github.com/mcollina) in [https://github.com/nodejs/undici/pull/2250](https://github.com/nodejs/undici/pull/2250) - Fix fetch in node v20.6.0 by [@​mcollina](https://github.com/mcollina) in [https://github.com/nodejs/undici/pull/2251](https://github.com/nodejs/undici/pull/2251) - Maybe fix v20 by [@​mcollina](https://github.com/mcollina) in [https://github.com/nodejs/undici/pull/2252](https://github.com/nodejs/undici/pull/2252) - feat: Add H2 support by [@​metcoder95](https://github.com/metcoder95) in [https://github.com/nodejs/undici/pull/2061](https://github.com/nodejs/undici/pull/2061) - docs: fix tables in README by [@​regseb](https://github.com/regseb) in [https://github.com/nodejs/undici/pull/2254](https://github.com/nodejs/undici/pull/2254) - Fix http2 fetch test by [@​mcollina](https://github.com/mcollina) in [https://github.com/nodejs/undici/pull/2253](https://github.com/nodejs/undici/pull/2253) #### New Contributors - [@​NBNGaming](https://github.com/NBNGaming) made their first contribution in [https://github.com/nodejs/undici/pull/2162](https://github.com/nodejs/undici/pull/2162) - [@​capaj](https://github.com/capaj) made their first contribution in [https://github.com/nodejs/undici/pull/2220](https://github.com/nodejs/undici/pull/2220) - [@​regseb](https://github.com/regseb) made their first contribution in [https://github.com/nodejs/undici/pull/2254](https://github.com/nodejs/undici/pull/2254) **Full Changelog**: nodejs/undici@v5.23.0...v5.24.0 </details> --- ### Configuration 📅 **Schedule**: Branch creation - "" in timezone Europe/Paris, Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/specfy/specfy). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4xOS4yIiwidXBkYXRlZEluVmVyIjoiMzcuMTkuMiIsInRhcmdldEJyYW5jaCI6ImNob3JlL3Jlbm92YXRlQmFzZUJyYW5jaCJ9--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
kodiakhq bot
referenced
this pull request
in ascorbic/unpic-img
Nov 12, 2023
[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [undici](https://undici.nodejs.org) ([source](https://github.com/nodejs/undici)) | [`5.25.4` -> `5.27.2`](https://renovatebot.com/diffs/npm/undici/5.25.4/5.27.2) | [![age](https://developer.mend.io/api/mc/badges/age/npm/undici/5.27.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/undici/5.27.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/undici/5.25.4/5.27.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/undici/5.25.4/5.27.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) | --- ### Release Notes <details> <summary>nodejs/undici (undici)</summary> ### [`v5.27.2`](https://github.com/nodejs/undici/releases/tag/v5.27.2) [Compare Source](https://github.com/nodejs/undici/compare/v5.27.1...v5.27.2) **Full Changelog**: nodejs/undici@v5.27.1...v5.27.2 ### [`v5.27.1`](https://github.com/nodejs/undici/releases/tag/v5.27.1) [Compare Source](https://github.com/nodejs/undici/compare/v5.27.0...v5.27.1) #### What's Changed - add regression test by [@​KhafraDev](https://github.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2376](https://github.com/nodejs/undici/pull/2376) - fix: define conditions when content-length should be sent by [@​pxue](https://github.com/pxue) in [https://github.com/nodejs/undici/pull/2305](https://github.com/nodejs/undici/pull/2305) - refactor: removed unnecessary default by [@​nikelborm](https://github.com/nikelborm) in [https://github.com/nodejs/undici/pull/2381](https://github.com/nodejs/undici/pull/2381) - fix: stream body handling by [@​ronag](https://github.com/ronag) in [https://github.com/nodejs/undici/pull/2391](https://github.com/nodejs/undici/pull/2391) #### New Contributors - [@​pxue](https://github.com/pxue) made their first contribution in [https://github.com/nodejs/undici/pull/2305](https://github.com/nodejs/undici/pull/2305) - [@​nikelborm](https://github.com/nikelborm) made their first contribution in [https://github.com/nodejs/undici/pull/2381](https://github.com/nodejs/undici/pull/2381) **Full Changelog**: nodejs/undici@v5.27.0...v5.27.1 ### [`v5.27.0`](https://github.com/nodejs/undici/releases/tag/v5.27.0) [Compare Source](https://github.com/nodejs/undici/compare/v5.26.5...v5.27.0) #### What's Changed - Use sets and reusable TextEncoder/TextDecoder instances by [@​kibertoad](https://github.com/kibertoad) in [https://github.com/nodejs/undici/pull/2368](https://github.com/nodejs/undici/pull/2368) - feat: forward onRequestSent to handler by [@​ronag](https://github.com/ronag) in [https://github.com/nodejs/undici/pull/2375](https://github.com/nodejs/undici/pull/2375) - skip bundle test on node 16 by [@​KhafraDev](https://github.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2377](https://github.com/nodejs/undici/pull/2377) - fix windows CI by [@​KhafraDev](https://github.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2379](https://github.com/nodejs/undici/pull/2379) **Full Changelog**: nodejs/undici@v5.26.5...v5.27.0 ### [`v5.26.5`](https://github.com/nodejs/undici/releases/tag/v5.26.5) [Compare Source](https://github.com/nodejs/undici/compare/v5.26.4...v5.26.5) #### What's Changed - Drop race condition in connect-timeout test by [@​mcollina](https://github.com/mcollina) in [https://github.com/nodejs/undici/pull/2360](https://github.com/nodejs/undici/pull/2360) - Remove a couple of unnecessary async functions by [@​kibertoad](https://github.com/kibertoad) in [https://github.com/nodejs/undici/pull/2367](https://github.com/nodejs/undici/pull/2367) - Update namespace type with Fetch exports by [@​Ethan-Arrowood](https://github.com/Ethan-Arrowood) in [https://github.com/nodejs/undici/pull/2361](https://github.com/nodejs/undici/pull/2361) **Full Changelog**: nodejs/undici@v5.26.4...v5.26.5 ### [`v5.26.4`](https://github.com/nodejs/undici/releases/tag/v5.26.4) [Compare Source](https://github.com/nodejs/undici/compare/v5.26.3...v5.26.4) #### What's Changed - use esbuild define/hooks by [@​KhafraDev](https://github.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2342](https://github.com/nodejs/undici/pull/2342) - fix request's arrayBuffer returning uint8 instead of arraybuffer by [@​KhafraDev](https://github.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2344](https://github.com/nodejs/undici/pull/2344) - fix: skip readMore call if parser is null or undefined by [@​iiAku](https://github.com/iiAku) in [https://github.com/nodejs/undici/pull/2346](https://github.com/nodejs/undici/pull/2346) - test: first attempt for flaky fix by [@​metcoder95](https://github.com/metcoder95) in [https://github.com/nodejs/undici/pull/2337](https://github.com/nodejs/undici/pull/2337) - test: only include WebSocket in WPT Report where it's landed by [@​panva](https://github.com/panva) in [https://github.com/nodejs/undici/pull/2351](https://github.com/nodejs/undici/pull/2351) - Update DispatchInterceptor.md by [@​Uzlopak](https://github.com/Uzlopak) in [https://github.com/nodejs/undici/pull/2354](https://github.com/nodejs/undici/pull/2354) - fix: Avoid error for stream() being aborted by [@​BobNobrain](https://github.com/BobNobrain) in [https://github.com/nodejs/undici/pull/2355](https://github.com/nodejs/undici/pull/2355) - fix names with esbuild by [@​KhafraDev](https://github.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2359](https://github.com/nodejs/undici/pull/2359) #### New Contributors - [@​iiAku](https://github.com/iiAku) made their first contribution in [https://github.com/nodejs/undici/pull/2346](https://github.com/nodejs/undici/pull/2346) - [@​Uzlopak](https://github.com/Uzlopak) made their first contribution in [https://github.com/nodejs/undici/pull/2354](https://github.com/nodejs/undici/pull/2354) - [@​BobNobrain](https://github.com/BobNobrain) made their first contribution in [https://github.com/nodejs/undici/pull/2355](https://github.com/nodejs/undici/pull/2355) **Full Changelog**: nodejs/undici@v5.26.3...v5.26.4 ### [`v5.26.3`](https://github.com/nodejs/undici/compare/12a62187d45f332cf39dd405f7c52b759cf40cdd...227b9bedf233f741b86dda4ae9d1c7ad69f5d75c) [Compare Source](https://github.com/nodejs/undici/compare/v5.26.2...v5.26.3) ### [`v5.26.2`](https://github.com/nodejs/undici/releases/tag/v5.26.2) [Compare Source](https://github.com/nodejs/undici/compare/v5.26.1...v5.26.2) Security Release, CVE-2023-45143. ### [`v5.26.1`](https://github.com/nodejs/undici/releases/tag/v5.26.1) [Compare Source](https://github.com/nodejs/undici/compare/v5.26.0...v5.26.1) #### What's Changed - Fix publish undici-types once and for all! by [@​Ethan-Arrowood](https://github.com/Ethan-Arrowood) in [https://github.com/nodejs/undici/pull/2338](https://github.com/nodejs/undici/pull/2338) - Fix node detection omfg by [@​KhafraDev](https://github.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2341](https://github.com/nodejs/undici/pull/2341) **Full Changelog**: nodejs/undici@v5.26.0...v5.26.1 ### [`v5.26.0`](https://github.com/nodejs/undici/releases/tag/v5.26.0) [Compare Source](https://github.com/nodejs/undici/compare/5e654f351a9a813fed3e9feff4388b5c4fbda787...v5.26.0) #### What's Changed - use npm install instead of npm ci by [@​Ethan-Arrowood](https://github.com/Ethan-Arrowood) in [https://github.com/nodejs/undici/pull/2309](https://github.com/nodejs/undici/pull/2309) - change default header to `node` by [@​Ethan-Arrowood](https://github.com/Ethan-Arrowood) in [https://github.com/nodejs/undici/pull/2310](https://github.com/nodejs/undici/pull/2310) - chore: change order of the pseudo-headers by [@​kyrylodolynskyi](https://github.com/kyrylodolynskyi) in [https://github.com/nodejs/undici/pull/2308](https://github.com/nodejs/undici/pull/2308) - fix: Agent.Options.factory should accept URL object or string as parameter by [@​nicole0707](https://github.com/nicole0707) in [https://github.com/nodejs/undici/pull/2295](https://github.com/nodejs/undici/pull/2295) - build(deps-dev): bump sinon from 15.2.0 to 16.1.0 by [@​dependabot](https://github.com/dependabot) in [https://github.com/nodejs/undici/pull/2312](https://github.com/nodejs/undici/pull/2312) - test: handle npm ignore-scripts settings by [@​panva](https://github.com/panva) in [https://github.com/nodejs/undici/pull/2313](https://github.com/nodejs/undici/pull/2313) - feat: respect `--max-http-header-size` Node.js flag by [@​balazsorban44](https://github.com/balazsorban44) in [https://github.com/nodejs/undici/pull/2234](https://github.com/nodejs/undici/pull/2234) - fix([#​2311](https://github.com/nodejs/undici/issues/2311)): End stream after body sent by [@​metcoder95](https://github.com/metcoder95) in [https://github.com/nodejs/undici/pull/2314](https://github.com/nodejs/undici/pull/2314) - disallow setting host header in fetch by [@​KhafraDev](https://github.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2322](https://github.com/nodejs/undici/pull/2322) - \[StepSecurity] ci: Harden GitHub Actions by [@​step-security-bot](https://github.com/step-security-bot) in [https://github.com/nodejs/undici/pull/2325](https://github.com/nodejs/undici/pull/2325) - fix fetch with coverage enabled by [@​KhafraDev](https://github.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2330](https://github.com/nodejs/undici/pull/2330) - Fix stuck when using http2 POST Buffer by [@​binsee](https://github.com/binsee) in [https://github.com/nodejs/undici/pull/2336](https://github.com/nodejs/undici/pull/2336) - fix: 🏷️ add allowH2 to BuildOptions by [@​binsee](https://github.com/binsee) in [https://github.com/nodejs/undici/pull/2334](https://github.com/nodejs/undici/pull/2334) - fix: 🐛 fix process http2 header by [@​binsee](https://github.com/binsee) in [https://github.com/nodejs/undici/pull/2332](https://github.com/nodejs/undici/pull/2332) #### New Contributors - [@​kyrylodolynskyi](https://github.com/kyrylodolynskyi) made their first contribution in [https://github.com/nodejs/undici/pull/2308](https://github.com/nodejs/undici/pull/2308) - [@​nicole0707](https://github.com/nicole0707) made their first contribution in [https://github.com/nodejs/undici/pull/2295](https://github.com/nodejs/undici/pull/2295) - [@​balazsorban44](https://github.com/balazsorban44) made their first contribution in [https://github.com/nodejs/undici/pull/2234](https://github.com/nodejs/undici/pull/2234) - [@​binsee](https://github.com/binsee) made their first contribution in [https://github.com/nodejs/undici/pull/2336](https://github.com/nodejs/undici/pull/2336) **Full Changelog**: nodejs/undici@v5.23.4...v5.26.0 </details> --- ### Configuration 📅 **Schedule**: Branch creation - "after 9pm on sunday" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/ascorbic/unpic-img). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy40Ni4wIiwidXBkYXRlZEluVmVyIjoiMzcuNDYuMCIsInRhcmdldEJyYW5jaCI6Im1haW4ifQ==-->
louis-bompart
referenced
this pull request
in coveo/cli
Jan 16, 2024
…#1402) [![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [undici](https://undici.nodejs.org) ([source](https://github.com/nodejs/undici)) | [`5.22.0` -> `5.26.2`](https://renovatebot.com/diffs/npm/undici/5.22.0/5.26.2) | [![age](https://developer.mend.io/api/mc/badges/age/npm/undici/5.26.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/undici/5.26.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/undici/5.22.0/5.26.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/undici/5.22.0/5.26.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) | ### GitHub Vulnerability Alerts #### [CVE-2023-45143](https://github.com/nodejs/undici/security/advisories/GHSA-q768-x9m6-m9qp) ### Impact Undici clears Authorization headers on cross-origin redirects, but does not clear `Cookie` headers. By design, `cookie` headers are [forbidden request headers](https://fetch.spec.whatwg.org/#forbidden-request-header), disallowing them to be set in `RequestInit.headers` in browser environments. Since Undici handles headers more liberally than the specification, there was a disconnect from the assumptions the spec made, and Undici's implementation of fetch. As such this may lead to accidental leakage of cookie to a 3rd-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the 3rd party site. ### Patches This was patched in [e041de359221ebeae04c469e8aff4145764e6d76](https://github.com/nodejs/undici/commit/e041de359221ebeae04c469e8aff4145764e6d76), which is included in version 5.26.2. --- ### Release Notes <details> <summary>nodejs/undici (undici)</summary> ### [`v5.26.2`](https://github.com/nodejs/undici/releases/tag/v5.26.2) [Compare Source](https://github.com/nodejs/undici/compare/v5.26.1...v5.26.2) Security Release, CVE-2023-45143. ### [`v5.26.1`](https://github.com/nodejs/undici/releases/tag/v5.26.1) [Compare Source](https://github.com/nodejs/undici/compare/v5.26.0...v5.26.1) #### What's Changed - Fix publish undici-types once and for all! by [@​Ethan-Arrowood](https://github.com/Ethan-Arrowood) in [https://github.com/nodejs/undici/pull/2338](https://github.com/nodejs/undici/pull/2338) - Fix node detection omfg by [@​KhafraDev](https://github.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2341](https://github.com/nodejs/undici/pull/2341) **Full Changelog**: nodejs/undici@v5.26.0...v5.26.1 ### [`v5.26.0`](https://github.com/nodejs/undici/releases/tag/v5.26.0) [Compare Source](https://github.com/nodejs/undici/compare/5e654f351a9a813fed3e9feff4388b5c4fbda787...v5.26.0) #### What's Changed - use npm install instead of npm ci by [@​Ethan-Arrowood](https://github.com/Ethan-Arrowood) in [https://github.com/nodejs/undici/pull/2309](https://github.com/nodejs/undici/pull/2309) - change default header to `node` by [@​Ethan-Arrowood](https://github.com/Ethan-Arrowood) in [https://github.com/nodejs/undici/pull/2310](https://github.com/nodejs/undici/pull/2310) - chore: change order of the pseudo-headers by [@​kyrylodolynskyi](https://github.com/kyrylodolynskyi) in [https://github.com/nodejs/undici/pull/2308](https://github.com/nodejs/undici/pull/2308) - fix: Agent.Options.factory should accept URL object or string as parameter by [@​nicole0707](https://github.com/nicole0707) in [https://github.com/nodejs/undici/pull/2295](https://github.com/nodejs/undici/pull/2295) - build(deps-dev): bump sinon from 15.2.0 to 16.1.0 by [@​dependabot](https://github.com/dependabot) in [https://github.com/nodejs/undici/pull/2312](https://github.com/nodejs/undici/pull/2312) - test: handle npm ignore-scripts settings by [@​panva](https://github.com/panva) in [https://github.com/nodejs/undici/pull/2313](https://github.com/nodejs/undici/pull/2313) - feat: respect `--max-http-header-size` Node.js flag by [@​balazsorban44](https://github.com/balazsorban44) in [https://github.com/nodejs/undici/pull/2234](https://github.com/nodejs/undici/pull/2234) - fix([#​2311](https://github.com/nodejs/undici/issues/2311)): End stream after body sent by [@​metcoder95](https://github.com/metcoder95) in [https://github.com/nodejs/undici/pull/2314](https://github.com/nodejs/undici/pull/2314) - disallow setting host header in fetch by [@​KhafraDev](https://github.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2322](https://github.com/nodejs/undici/pull/2322) - \[StepSecurity] ci: Harden GitHub Actions by [@​step-security-bot](https://github.com/step-security-bot) in [https://github.com/nodejs/undici/pull/2325](https://github.com/nodejs/undici/pull/2325) - fix fetch with coverage enabled by [@​KhafraDev](https://github.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2330](https://github.com/nodejs/undici/pull/2330) - Fix stuck when using http2 POST Buffer by [@​binsee](https://github.com/binsee) in [https://github.com/nodejs/undici/pull/2336](https://github.com/nodejs/undici/pull/2336) - fix: 🏷️ add allowH2 to BuildOptions by [@​binsee](https://github.com/binsee) in [https://github.com/nodejs/undici/pull/2334](https://github.com/nodejs/undici/pull/2334) - fix: 🐛 fix process http2 header by [@​binsee](https://github.com/binsee) in [https://github.com/nodejs/undici/pull/2332](https://github.com/nodejs/undici/pull/2332) #### New Contributors - [@​kyrylodolynskyi](https://github.com/kyrylodolynskyi) made their first contribution in [https://github.com/nodejs/undici/pull/2308](https://github.com/nodejs/undici/pull/2308) - [@​nicole0707](https://github.com/nicole0707) made their first contribution in [https://github.com/nodejs/undici/pull/2295](https://github.com/nodejs/undici/pull/2295) - [@​balazsorban44](https://github.com/balazsorban44) made their first contribution in [https://github.com/nodejs/undici/pull/2234](https://github.com/nodejs/undici/pull/2234) - [@​binsee](https://github.com/binsee) made their first contribution in [https://github.com/nodejs/undici/pull/2336](https://github.com/nodejs/undici/pull/2336) **Full Changelog**: nodejs/undici@v5.23.4...v5.26.0 ### [`v5.25.4`](https://github.com/nodejs/undici/compare/v5.25.3...5e654f351a9a813fed3e9feff4388b5c4fbda787) [Compare Source](https://github.com/nodejs/undici/compare/v5.25.3...5e654f351a9a813fed3e9feff4388b5c4fbda787) ### [`v5.25.3`](https://github.com/nodejs/undici/releases/tag/v5.25.3) [Compare Source](https://github.com/nodejs/undici/compare/v5.25.2...v5.25.3) #### What's Changed - perf: improve parse-url implementation by [@​anonrig](https://github.com/anonrig) in [https://github.com/nodejs/undici/pull/2286](https://github.com/nodejs/undici/pull/2286) - test: enable websockets inclusion in WPTReport by [@​panva](https://github.com/panva) in [https://github.com/nodejs/undici/pull/2284](https://github.com/nodejs/undici/pull/2284) - remove npm run test from pre-commit hook by [@​dancastillo](https://github.com/dancastillo) in [https://github.com/nodejs/undici/pull/2296](https://github.com/nodejs/undici/pull/2296) - perf: use [@​fastify/busboy](https://github.com/fastify/busboy) by [@​gurgunday](https://github.com/gurgunday) in [https://github.com/nodejs/undici/pull/2211](https://github.com/nodejs/undici/pull/2211) - Disable finalizationregistry if node code cov by [@​mcollina](https://github.com/mcollina) in [https://github.com/nodejs/undici/pull/2298](https://github.com/nodejs/undici/pull/2298) #### New Contributors - [@​gurgunday](https://github.com/gurgunday) made their first contribution in [https://github.com/nodejs/undici/pull/2211](https://github.com/nodejs/undici/pull/2211) **Full Changelog**: nodejs/undici@v5.25.2...v5.25.3 ### [`v5.25.2`](https://github.com/nodejs/undici/releases/tag/v5.25.2) [Compare Source](https://github.com/nodejs/undici/compare/v5.25.1...v5.25.2) #### What's Changed - Add Khaf to releasers by [@​mcollina](https://github.com/mcollina) in [https://github.com/nodejs/undici/pull/2276](https://github.com/nodejs/undici/pull/2276) - fix: fix request with readable mode is object by [@​killagu](https://github.com/killagu) in [https://github.com/nodejs/undici/pull/2279](https://github.com/nodejs/undici/pull/2279) - fix loading websockets when node is built w/ --without-ssl by [@​KhafraDev](https://github.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2282](https://github.com/nodejs/undici/pull/2282) #### New Contributors - [@​killagu](https://github.com/killagu) made their first contribution in [https://github.com/nodejs/undici/pull/2279](https://github.com/nodejs/undici/pull/2279) **Full Changelog**: nodejs/undici@v5.25.1...v5.25.2 ### [`v5.25.1`](https://github.com/nodejs/undici/releases/tag/v5.25.1) [Compare Source](https://github.com/nodejs/undici/compare/v5.25.0...v5.25.1) #### What's Changed - Add publish types script by [@​Ethan-Arrowood](https://github.com/Ethan-Arrowood) in [https://github.com/nodejs/undici/pull/2273](https://github.com/nodejs/undici/pull/2273) **Full Changelog**: nodejs/undici@v5.25.0...v5.25.1 ### [`v5.25.0`](https://github.com/nodejs/undici/releases/tag/v5.25.0) [Compare Source](https://github.com/nodejs/undici/compare/v5.24.0...v5.25.0) #### What's Changed - fix: h2 without body by [@​metcoder95](https://github.com/metcoder95) in [https://github.com/nodejs/undici/pull/2258](https://github.com/nodejs/undici/pull/2258) - ci: remove duplicated runs by [@​metcoder95](https://github.com/metcoder95) in [https://github.com/nodejs/undici/pull/2265](https://github.com/nodejs/undici/pull/2265) - improve documentation of timeouts by making the units clear in all places by [@​mcfedr](https://github.com/mcfedr) in [https://github.com/nodejs/undici/pull/2266](https://github.com/nodejs/undici/pull/2266) - expose websocket in node bundle by [@​KhafraDev](https://github.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2217](https://github.com/nodejs/undici/pull/2217) - test: fix Fetch/HTTP2 tests by [@​metcoder95](https://github.com/metcoder95) in [https://github.com/nodejs/undici/pull/2263](https://github.com/nodejs/undici/pull/2263) - fix undici when node is built with --without-ssl by [@​KhafraDev](https://github.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2272](https://github.com/nodejs/undici/pull/2272) - fix: Fix type definition for Client Interceptors by [@​ComradeCow](https://github.com/ComradeCow) in [https://github.com/nodejs/undici/pull/2269](https://github.com/nodejs/undici/pull/2269) - Fix http2 agent by [@​mcollina](https://github.com/mcollina) in [https://github.com/nodejs/undici/pull/2275](https://github.com/nodejs/undici/pull/2275) #### New Contributors - [@​ComradeCow](https://github.com/ComradeCow) made their first contribution in [https://github.com/nodejs/undici/pull/2269](https://github.com/nodejs/undici/pull/2269) **Full Changelog**: nodejs/undici@v5.24.0...v5.25.0 ### [`v5.24.0`](https://github.com/nodejs/undici/releases/tag/v5.24.0) [Compare Source](https://github.com/nodejs/undici/compare/v5.23.0...v5.24.0) #### Notable Changes - feat: Add H2 support by [@​metcoder95](https://github.com/metcoder95) in [https://github.com/nodejs/undici/pull/2061](https://github.com/nodejs/undici/pull/2061) #### What's Changed - build(deps): bump step-security/harden-runner from 2.4.1 to 2.5.0 by [@​dependabot](https://github.com/dependabot) in [https://github.com/nodejs/undici/pull/2203](https://github.com/nodejs/undici/pull/2203) - better stack trace for body.json by [@​KhafraDev](https://github.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2215](https://github.com/nodejs/undici/pull/2215) - allow http & https websocket urls by [@​KhafraDev](https://github.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2218](https://github.com/nodejs/undici/pull/2218) - build(deps-dev): bump [@​sinonjs/fake-timers](https://github.com/sinonjs/fake-timers) from 10.3.0 to 11.1.0 by [@​dependabot](https://github.com/dependabot) in [https://github.com/nodejs/undici/pull/2221](https://github.com/nodejs/undici/pull/2221) - fix: pass ProxyAgent proxy status code error by [@​NBNGaming](https://github.com/NBNGaming) in [https://github.com/nodejs/undici/pull/2162](https://github.com/nodejs/undici/pull/2162) - fix failing test by [@​KhafraDev](https://github.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2223](https://github.com/nodejs/undici/pull/2223) - docs: update MockPool.md intercept method description by [@​capaj](https://github.com/capaj) in [https://github.com/nodejs/undici/pull/2220](https://github.com/nodejs/undici/pull/2220) - Update wpts by [@​KhafraDev](https://github.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2226](https://github.com/nodejs/undici/pull/2226) - build(deps): bump github/codeql-action from 2.21.2 to 2.21.5 by [@​dependabot](https://github.com/dependabot) in [https://github.com/nodejs/undici/pull/2240](https://github.com/nodejs/undici/pull/2240) - build(deps): bump actions/setup-node from 3.6.0 to 3.8.1 by [@​dependabot](https://github.com/dependabot) in [https://github.com/nodejs/undici/pull/2237](https://github.com/nodejs/undici/pull/2237) - build(deps): bump fastify/github-action-merge-dependabot from 3.9.0 to 3.9.1 by [@​dependabot](https://github.com/dependabot) in [https://github.com/nodejs/undici/pull/2236](https://github.com/nodejs/undici/pull/2236) - build(deps): bump actions/checkout from 3.5.3 to 3.6.0 by [@​dependabot](https://github.com/dependabot) in [https://github.com/nodejs/undici/pull/2241](https://github.com/nodejs/undici/pull/2241) - build(deps): bump actions/dependency-review-action from 3.0.6 to 3.0.8 by [@​dependabot](https://github.com/dependabot) in [https://github.com/nodejs/undici/pull/2238](https://github.com/nodejs/undici/pull/2238) - fix: aborting request with non-object error by [@​KhafraDev](https://github.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2243](https://github.com/nodejs/undici/pull/2243) - fix: preserve file path when parsing formdata by [@​jimmywarting](https://github.com/jimmywarting) in [https://github.com/nodejs/undici/pull/2245](https://github.com/nodejs/undici/pull/2245) - build(deps-dev): bump tsd from 0.28.1 to 0.29.0 by [@​dependabot](https://github.com/dependabot) in [https://github.com/nodejs/undici/pull/2246](https://github.com/nodejs/undici/pull/2246) - Updated benchmarks by [@​mcollina](https://github.com/mcollina) in [https://github.com/nodejs/undici/pull/2250](https://github.com/nodejs/undici/pull/2250) - Fix fetch in node v20.6.0 by [@​mcollina](https://github.com/mcollina) in [https://github.com/nodejs/undici/pull/2251](https://github.com/nodejs/undici/pull/2251) - Maybe fix v20 by [@​mcollina](https://github.com/mcollina) in [https://github.com/nodejs/undici/pull/2252](https://github.com/nodejs/undici/pull/2252) - feat: Add H2 support by [@​metcoder95](https://github.com/metcoder95) in [https://github.com/nodejs/undici/pull/2061](https://github.com/nodejs/undici/pull/2061) - docs: fix tables in README by [@​regseb](https://github.com/regseb) in [https://github.com/nodejs/undici/pull/2254](https://github.com/nodejs/undici/pull/2254) - Fix http2 fetch test by [@​mcollina](https://github.com/mcollina) in [https://github.com/nodejs/undici/pull/2253](https://github.com/nodejs/undici/pull/2253) #### New Contributors - [@​NBNGaming](https://github.com/NBNGaming) made their first contribution in [https://github.com/nodejs/undici/pull/2162](https://github.com/nodejs/undici/pull/2162) - [@​capaj](https://github.com/capaj) made their first contribution in [https://github.com/nodejs/undici/pull/2220](https://github.com/nodejs/undici/pull/2220) - [@​regseb](https://github.com/regseb) made their first contribution in [https://github.com/nodejs/undici/pull/2254](https://github.com/nodejs/undici/pull/2254) **Full Changelog**: nodejs/undici@v5.23.0...v5.24.0 ### [`v5.23.0`](https://github.com/nodejs/undici/releases/tag/v5.23.0) [Compare Source](https://github.com/nodejs/undici/compare/v5.22.1...v5.23.0) #### What's Changed - bump engines to node >= 16 by [@​ronag](https://github.com/ronag) in [https://github.com/nodejs/undici/pull/2119](https://github.com/nodejs/undici/pull/2119) - Revert "bump engines to node >= 16 ([#​2119](https://github.com/nodejs/undici/issues/2119))" by [@​ronag](https://github.com/ronag) in [https://github.com/nodejs/undici/pull/2121](https://github.com/nodejs/undici/pull/2121) - fetch: set referrer properly by [@​KhafraDev](https://github.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2125](https://github.com/nodejs/undici/pull/2125) - fix: support truncated gzip by [@​jimmywarting](https://github.com/jimmywarting) in [https://github.com/nodejs/undici/pull/2126](https://github.com/nodejs/undici/pull/2126) - workflow: apply security best practices by [@​step-security-bot](https://github.com/step-security-bot) in [https://github.com/nodejs/undici/pull/2130](https://github.com/nodejs/undici/pull/2130) - build(deps): bump actions/upload-artifact from 3.1.0 to 3.1.2 by [@​dependabot](https://github.com/dependabot) in [https://github.com/nodejs/undici/pull/2135](https://github.com/nodejs/undici/pull/2135) - build(deps): bump actions/dependency-review-action from 2.5.1 to 3.0.4 by [@​dependabot](https://github.com/dependabot) in [https://github.com/nodejs/undici/pull/2133](https://github.com/nodejs/undici/pull/2133) - build(deps): bump node from 18-alpine to 20-alpine in /build by [@​dependabot](https://github.com/dependabot) in [https://github.com/nodejs/undici/pull/2131](https://github.com/nodejs/undici/pull/2131) - build(deps): bump pkgjs/action from 0.1.6 to 0.1.7 by [@​dependabot](https://github.com/dependabot) in [https://github.com/nodejs/undici/pull/2136](https://github.com/nodejs/undici/pull/2136) - build(deps): bump actions/checkout from 3.1.0 to 3.5.2 by [@​dependabot](https://github.com/dependabot) in [https://github.com/nodejs/undici/pull/2132](https://github.com/nodejs/undici/pull/2132) - build(deps-dev): bump jsdom from 21.1.2 to 22.1.0 by [@​dependabot](https://github.com/dependabot) in [https://github.com/nodejs/undici/pull/2142](https://github.com/nodejs/undici/pull/2142) - build(deps): bump fastify/github-action-merge-dependabot from 3.7.0 to 3.8.0 by [@​dependabot](https://github.com/dependabot) in [https://github.com/nodejs/undici/pull/2148](https://github.com/nodejs/undici/pull/2148) - fix(pr): use correct pr template file by [@​AugustinMauroy](https://github.com/AugustinMauroy) in [https://github.com/nodejs/undici/pull/2141](https://github.com/nodejs/undici/pull/2141) - Additional WebSocket send tests to cover all payload size categories by [@​jawj](https://github.com/jawj) in [https://github.com/nodejs/undici/pull/2149](https://github.com/nodejs/undici/pull/2149) - fix: reverse decompression order of "Content-Encoding" encodings (fixes [#​2158](https://github.com/nodejs/undici/issues/2158)) by [@​rychkog](https://github.com/rychkog) in [https://github.com/nodejs/undici/pull/2159](https://github.com/nodejs/undici/pull/2159) - fix: keep running WPTs if a test times out by [@​KhafraDev](https://github.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2165](https://github.com/nodejs/undici/pull/2165) - feat: add build environment info by [@​mhdawson](https://github.com/mhdawson) in [https://github.com/nodejs/undici/pull/2168](https://github.com/nodejs/undici/pull/2168) - fix: forward error reason to fetch controller by [@​KhafraDev](https://github.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2172](https://github.com/nodejs/undici/pull/2172) - stricter types for bodymixin.json by [@​KhafraDev](https://github.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2181](https://github.com/nodejs/undici/pull/2181) - chore: Renable autoSelectFamily tests. by [@​ShogunPanda](https://github.com/ShogunPanda) in [https://github.com/nodejs/undici/pull/2180](https://github.com/nodejs/undici/pull/2180) - build(deps): bump actions/dependency-review-action from 3.0.4 to 3.0.6 by [@​dependabot](https://github.com/dependabot) in [https://github.com/nodejs/undici/pull/2147](https://github.com/nodejs/undici/pull/2147) - build(deps): bump github/codeql-action from 2.3.2 to 2.20.3 by [@​dependabot](https://github.com/dependabot) in [https://github.com/nodejs/undici/pull/2185](https://github.com/nodejs/undici/pull/2185) - fix: fetch resource timing performance entry names should be strings by [@​GaryWilber](https://github.com/GaryWilber) in [https://github.com/nodejs/undici/pull/2188](https://github.com/nodejs/undici/pull/2188) - build(deps): bump actions/checkout from 3.5.2 to 3.5.3 by [@​dependabot](https://github.com/dependabot) in [https://github.com/nodejs/undici/pull/2176](https://github.com/nodejs/undici/pull/2176) - build(deps): bump fastify/github-action-merge-dependabot from 3.8.0 to 3.9.0 by [@​dependabot](https://github.com/dependabot) in [https://github.com/nodejs/undici/pull/2177](https://github.com/nodejs/undici/pull/2177) - build(deps): bump ossf/scorecard-action from 2.1.3 to 2.2.0 by [@​dependabot](https://github.com/dependabot) in [https://github.com/nodejs/undici/pull/2178](https://github.com/nodejs/undici/pull/2178) - build(deps): bump step-security/harden-runner from 2.4.0 to 2.4.1 by [@​dependabot](https://github.com/dependabot) in [https://github.com/nodejs/undici/pull/2175](https://github.com/nodejs/undici/pull/2175) - test: fix `autoselectfamily` on platforms without IPv6 support by [@​LiviaMedeiros](https://github.com/LiviaMedeiros) in [https://github.com/nodejs/undici/pull/2197](https://github.com/nodejs/undici/pull/2197) - fix: make multipart/form-data boundary string more consistent by [@​LiviaMedeiros](https://github.com/LiviaMedeiros) in [https://github.com/nodejs/undici/pull/2196](https://github.com/nodejs/undici/pull/2196) - docs: add proxy agent options docs by [@​dancastillo](https://github.com/dancastillo) in [https://github.com/nodejs/undici/pull/2193](https://github.com/nodejs/undici/pull/2193) - build(deps): bump github/codeql-action from 2.20.3 to 2.21.2 by [@​dependabot](https://github.com/dependabot) in [https://github.com/nodejs/undici/pull/2205](https://github.com/nodejs/undici/pull/2205) - feat: make use of `addAbortListener` where applicable by [@​atlowChemi](https://github.com/atlowChemi) in [https://github.com/nodejs/undici/pull/2195](https://github.com/nodejs/undici/pull/2195) #### New Contributors - [@​step-security-bot](https://github.com/step-security-bot) made their first contribution in [https://github.com/nodejs/undici/pull/2130](https://github.com/nodejs/undici/pull/2130) - [@​AugustinMauroy](https://github.com/AugustinMauroy) made their first contribution in [https://github.com/nodejs/undici/pull/2141](https://github.com/nodejs/undici/pull/2141) - [@​rychkog](https://github.com/rychkog) made their first contribution in [https://github.com/nodejs/undici/pull/2159](https://github.com/nodejs/undici/pull/2159) - [@​mhdawson](https://github.com/mhdawson) made their first contribution in [https://github.com/nodejs/undici/pull/2168](https://github.com/nodejs/undici/pull/2168) - [@​GaryWilber](https://github.com/GaryWilber) made their first contribution in [https://github.com/nodejs/undici/pull/2188](https://github.com/nodejs/undici/pull/2188) - [@​atlowChemi](https://github.com/atlowChemi) made their first contribution in [https://github.com/nodejs/undici/pull/2195](https://github.com/nodejs/undici/pull/2195) **Full Changelog**: nodejs/undici@v5.22.1...v5.23.0 ### [`v5.22.1`](https://github.com/nodejs/undici/releases/tag/v5.22.1) [Compare Source](https://github.com/nodejs/undici/compare/v5.22.0...v5.22.1) #### What's Changed - Cache storage by [@​KhafraDev](https://github.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2076](https://github.com/nodejs/undici/pull/2076) - test: skip content-disposition test in node 18 by [@​KhafraDev](https://github.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2081](https://github.com/nodejs/undici/pull/2081) - Cache storage cleanup by [@​KhafraDev](https://github.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2082](https://github.com/nodejs/undici/pull/2082) - Cache storage fixes by [@​KhafraDev](https://github.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2083](https://github.com/nodejs/undici/pull/2083) - test: improve test coverage for ErrorEvent and MessageEvent by [@​KhafraDev](https://github.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2085](https://github.com/nodejs/undici/pull/2085) - test: remove --experimental-wasm-simd by [@​KhafraDev](https://github.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2087](https://github.com/nodejs/undici/pull/2087) - websocket: add websocketinit by [@​KhafraDev](https://github.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2088](https://github.com/nodejs/undici/pull/2088) - feat(websocket): allow setting custom headers by [@​KhafraDev](https://github.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2089](https://github.com/nodejs/undici/pull/2089) - test: fix tests failing only on node v20 by [@​KhafraDev](https://github.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2096](https://github.com/nodejs/undici/pull/2096) - fix: skip set content-length when FormData value is stream by [@​fengmk2](https://github.com/fengmk2) in [https://github.com/nodejs/undici/pull/2091](https://github.com/nodejs/undici/pull/2091) - doc: update outdated command in contributing.md by [@​jazelly](https://github.com/jazelly) in [https://github.com/nodejs/undici/pull/2099](https://github.com/nodejs/undici/pull/2099) - cache: fix most failing WPTs by [@​KhafraDev](https://github.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2100](https://github.com/nodejs/undici/pull/2100) - feat: allow build:wasm to auto detect platform by [@​jazelly](https://github.com/jazelly) in [https://github.com/nodejs/undici/pull/2102](https://github.com/nodejs/undici/pull/2102) - docs: updated Error documentation (fixes [#​2090](https://github.com/nodejs/undici/issues/2090)) by [@​titanism](https://github.com/titanism) in [https://github.com/nodejs/undici/pull/2092](https://github.com/nodejs/undici/pull/2092) - mimesniff: fix many broken tests by [@​KhafraDev](https://github.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2103](https://github.com/nodejs/undici/pull/2103) - test: fix failing tests by [@​KhafraDev](https://github.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2097](https://github.com/nodejs/undici/pull/2097) - build(deps): bump github/codeql-action from 2.2.9 to 2.3.2 by [@​dependabot](https://github.com/dependabot) in [https://github.com/nodejs/undici/pull/2105](https://github.com/nodejs/undici/pull/2105) - fix: more informative error message to tell that the server doesn't match http/1.1 protocol by [@​Songkeys](https://github.com/Songkeys) in [https://github.com/nodejs/undici/pull/2055](https://github.com/nodejs/undici/pull/2055) - Fix bug in 16-bit frame length when buffer is a subarray by [@​jawj](https://github.com/jawj) in [https://github.com/nodejs/undici/pull/2106](https://github.com/nodejs/undici/pull/2106) - update wpts by [@​KhafraDev](https://github.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2108](https://github.com/nodejs/undici/pull/2108) - fix: update error definitions by [@​dfilatov](https://github.com/dfilatov) in [https://github.com/nodejs/undici/pull/2112](https://github.com/nodejs/undici/pull/2112) - fix: make assertion a noop by [@​ronag](https://github.com/ronag) in [https://github.com/nodejs/undici/pull/2111](https://github.com/nodejs/undici/pull/2111) #### New Contributors - [@​jazelly](https://github.com/jazelly) made their first contribution in [https://github.com/nodejs/undici/pull/2099](https://github.com/nodejs/undici/pull/2099) - [@​titanism](https://github.com/titanism) made their first contribution in [https://github.com/nodejs/undici/pull/2092](https://github.com/nodejs/undici/pull/2092) - [@​Songkeys](https://github.com/Songkeys) made their first contribution in [https://github.com/nodejs/undici/pull/2055](https://github.com/nodejs/undici/pull/2055) - [@​jawj](https://github.com/jawj) made their first contribution in [https://github.com/nodejs/undici/pull/2106](https://github.com/nodejs/undici/pull/2106) - [@​dfilatov](https://github.com/dfilatov) made their first contribution in [https://github.com/nodejs/undici/pull/2112](https://github.com/nodejs/undici/pull/2112) **Full Changelog**: nodejs/undici@v5.22.0...v5.22.1 </details> --- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/coveo/cli). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy41OS44IiwidXBkYXRlZEluVmVyIjoiMzcuODEuMyIsInRhcmdldEJyYW5jaCI6Im1hc3RlciJ9--> --------- Co-authored-by: developer-experience-bot[bot] <91079284+developer-experience-bot[bot]@users.noreply.github.com> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
crysmags
pushed a commit
to crysmags/undici
that referenced
this pull request
Feb 27, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
This pull request is created by Secure Repo at the request of @RafaelGSS. Please merge the Pull Request to incorporate the requested changes. Please tag @RafaelGSS on your message if you have any questions related to the PR. You can also engage with the StepSecurity team by tagging @step-security-bot.
Refs: nodejs/security-wg#859
Security Fixes
Least Privileged GitHub Actions Token Permissions
The GITHUB_TOKEN is an automatically generated secret to make authenticated calls to the GitHub API. GitHub recommends setting minimum token permissions for the GITHUB_TOKEN.
Pinned Dependencies
GitHub Action tags and Docker tags are mutatble. This poses a security risk. GitHub's Security Hardening guide recommends pinning actions to full length commit.
Feedback
For bug reports, feature requests, and general feedback; please create an issue in step-security/secure-repo. To create such PRs, please visit https://app.stepsecurity.io/securerepo.
Signed-off-by: StepSecurity Bot bot@stepsecurity.io